npx skills add mukul975/Anthropic-Cybersecurity-SkillsMITRE ATT&CK
NIST CSF 2.0
When to Use
- When enforcing organizational security policies across Kubernetes clusters programmatically
- When requiring admission control that blocks non-compliant resources from being created
- When implementing policy governance that can be version-controlled, tested, and audited
- When standardizing security rules across multiple clusters and environments
- When needing a flexible policy engine that extends beyond Kubernetes to APIs and CI/CD
Do not use for vulnerability scanning (use Trivy/Checkov), for runtime threat detection (use Falco), or for network policy enforcement (use Kubernetes NetworkPolicy or Calico).
Prerequisites
- Kubernetes cluster with admin access for Gatekeeper installation
- Helm for Gatekeeper deployment
- OPA CLI or conftest for local policy testing
- Rego knowledge for policy authoring
Workflow
Step 1: Install OPA Gatekeeper
# Install Gatekeeper via Helm
helm repo add gatekeeper https://open-policy-agent.github.io/gatekeeper/charts
helm install gatekeeper gatekeeper/gatekeeper \
--namespace gatekeeper-system --create-namespace \
--set replicas=3 \
--set audit.replicas=1 \
--set audit.writeToRAMDisk=trueStep 2: Create Constraint Templates
# templates/k8s-required-labels.yaml
apiVersion: templates.gatekeeper.sh/v1
kind: ConstraintTemplate
metadata:
name: k8srequiredlabels
spec:
crd:
spec:
names:
kind: K8sRequiredLabels
validation:
openAPIV3Schema:
type: object
properties:
labels:
type: array
items:
type: string
targets:
- target: admission.k8s.gatekeeper.sh
rego: |
package k8srequiredlabels
violation[{"msg": msg}] {
provided := {label | input.review.object.metadata.labels[label]}
required := {label | label := input.parameters.labels[_]}
missing := required - provided
count(missing) > 0
msg := sprintf("Missing required labels: %v", [missing])
}
---
# templates/k8s-container-limits.yaml
apiVersion: templates.gatekeeper.sh/v1
kind: ConstraintTemplate
metadata:
name: k8scontainerlimits
spec:
crd:
spec:
names:
kind: K8sContainerLimits
validation:
openAPIV3Schema:
type: object
properties:
cpu:
type: string
memory:
type: string
targets:
- target: admission.k8s.gatekeeper.sh
rego: |
package k8scontainerlimits
violation[{"msg": msg}] {
container := input.review.object.spec.containers[_]
not container.resources.limits.cpu
msg := sprintf("Container %v has no CPU limit", [container.name])
}
violation[{"msg": msg}] {
container := input.review.object.spec.containers[_]
not container.resources.limits.memory
msg := sprintf("Container %v has no memory limit", [container.name])
}
---
# templates/k8s-block-privileged.yaml
apiVersion: templates.gatekeeper.sh/v1
kind: ConstraintTemplate
metadata:
name: k8sblockprivileged
spec:
crd:
spec:
names:
kind: K8sBlockPrivileged
targets:
- target: admission.k8s.gatekeeper.sh
rego: |
package k8sblockprivileged
violation[{"msg": msg}] {
container := input.review.object.spec.containers[_]
container.securityContext.privileged == true
msg := sprintf("Privileged container not allowed: %v", [container.name])
}
violation[{"msg": msg}] {
container := input.review.object.spec.initContainers[_]
container.securityContext.privileged == true
msg := sprintf("Privileged init container not allowed: %v", [container.name])
}Step 3: Apply Constraints
# constraints/require-labels.yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredLabels
metadata:
name: require-team-labels
spec:
enforcementAction: deny
match:
kinds:
- apiGroups: [""]
kinds: ["Namespace"]
- apiGroups: ["apps"]
kinds: ["Deployment", "StatefulSet"]
excludedNamespaces:
- kube-system
- gatekeeper-system
parameters:
labels:
- "team"
- "environment"
- "cost-center"
---
# constraints/block-privileged.yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockPrivileged
metadata:
name: block-privileged-containers
spec:
enforcementAction: deny
match:
kinds:
- apiGroups: [""]
kinds: ["Pod"]
- apiGroups: ["apps"]
kinds: ["Deployment", "DaemonSet", "StatefulSet"]
excludedNamespaces:
- kube-systemStep 4: Test Policies with conftest
# Install conftest
brew install conftest
# Test Kubernetes manifests against OPA policies locally
conftest test deployment.yaml --policy policies/ --output json
# Test Terraform against OPA policies
conftest test terraform/main.tf --policy policies/terraform/ --parser hcl2
# Test Dockerfiles
conftest test Dockerfile --policy policies/docker/# policies/kubernetes/deny_latest_tag.rego
package kubernetes
deny[msg] {
input.kind == "Deployment"
container := input.spec.template.spec.containers[_]
endswith(container.image, ":latest")
msg := sprintf("Container %v uses :latest tag. Pin to specific version.", [container.name])
}
deny[msg] {
input.kind == "Deployment"
container := input.spec.template.spec.containers[_]
not contains(container.image, ":")
msg := sprintf("Container %v has no tag. Pin to specific version.", [container.name])
}Step 5: Integrate Policy Testing in CI/CD
# .github/workflows/policy-test.yml
name: Policy Validation
on:
pull_request:
paths: ['k8s/**', 'terraform/**', 'policies/**']
jobs:
conftest:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Install conftest
run: |
wget -q https://github.com/open-policy-agent/conftest/releases/download/v0.50.0/conftest_0.50.0_Linux_x86_64.tar.gz
tar xzf conftest_0.50.0_Linux_x86_64.tar.gz
sudo mv conftest /usr/local/bin/
- name: Test K8s manifests
run: conftest test k8s/**/*.yaml --policy policies/kubernetes/ --output json
- name: Test Terraform
run: conftest test terraform/*.tf --policy policies/terraform/ --parser hcl2Key Concepts
| Term | Definition |
|---|---|
| OPA | Open Policy Agent — general-purpose policy engine using Rego language for policy decisions |
| Rego | OPA's declarative query language for writing policy rules |
| Gatekeeper | Kubernetes-native OPA integration implementing admission control via ConstraintTemplates |
| ConstraintTemplate | CRD defining the Rego policy logic and parameters schema for a class of constraints |
| Constraint | Instance of a ConstraintTemplate with specific parameters and scope (which resources to check) |
| Admission Controller | Kubernetes component that intercepts API requests before persistence and can allow or deny them |
| conftest | CLI tool for testing structured data (YAML, JSON, HCL) against OPA policies |
Tools & Systems
- Open Policy Agent (OPA): General-purpose policy engine for unified policy enforcement
- Gatekeeper: Kubernetes admission controller built on OPA with CRD-based configuration
- conftest: Testing framework for OPA policies against configuration files
- Kyverno: Alternative Kubernetes policy engine using YAML-based policies (no Rego required)
- Styra DAS: Commercial OPA management platform with policy authoring, testing, and distribution
Common Scenarios
Scenario: Enforcing Container Security Standards Across Clusters
Context: Multiple development teams deploy to shared Kubernetes clusters. Some teams run privileged containers and images without resource limits, causing security and stability issues.
Approach:
- Deploy Gatekeeper on all clusters via GitOps (Helm chart in a FluxCD repository)
- Create ConstraintTemplates for: no privileged containers, required resource limits, required labels, no latest tag
- Start with
enforcementAction: warnto identify violations without blocking deployments - Notify teams of violations and provide a 2-week remediation window
- Switch to
enforcementAction: denyafter the remediation period - Add
excludedNamespacesfor kube-system and monitoring namespaces
Pitfalls: Deploying Gatekeeper with deny mode immediately can break existing workloads. Always start with warn mode. Overly restrictive policies without exemptions for system namespaces can prevent cluster components from functioning.
Output Format
OPA Policy Evaluation Report
==============================
Cluster: production-east
Date: 2026-02-23
Gatekeeper Version: 3.16.0
CONSTRAINT SUMMARY:
K8sRequiredLabels: 12 violations (warn)
K8sBlockPrivileged: 0 violations (deny)
K8sContainerLimits: 8 violations (deny)
K8sBlockLatestTag: 3 violations (deny)
BLOCKED DEPLOYMENTS (deny):
[K8sContainerLimits] deployment/api-server in ns/payments
- Container 'api' has no memory limit
[K8sBlockLatestTag] deployment/frontend in ns/web
- Container 'nginx' uses :latest tag
AUDIT VIOLATIONS (warn):
[K8sRequiredLabels] namespace/staging
- Missing labels: {cost-center}References and resources
Everything below is rendered for inspection. Script files are read-only and never run.
References 3
api-reference.md4.0 KB
API Reference: Open Policy Agent (OPA) Policy-as-Code
Libraries Used
| Library | Purpose |
|---|---|
requests |
HTTP client for OPA REST API |
json |
Parse OPA decision responses |
subprocess |
Run opa eval and opa test CLI commands |
yaml |
Parse Kubernetes admission review objects |
Installation
# OPA binary
curl -L -o opa https://openpolicyagent.org/downloads/latest/opa_linux_amd64_static
chmod 755 opa && sudo mv opa /usr/local/bin/
# Python dependencies
pip install requests pyyamlOPA REST API Endpoints
| Method | Endpoint | Description |
|---|---|---|
| PUT | /v1/policies/{id} |
Create or update a policy module |
| GET | /v1/policies/{id} |
Retrieve a policy module |
| DELETE | /v1/policies/{id} |
Delete a policy module |
| GET | /v1/policies |
List all policy modules |
| PUT | /v1/data/{path} |
Create or overwrite a document |
| GET | /v1/data/{path} |
Evaluate a rule or retrieve data |
| POST | /v1/data/{path} |
Evaluate a rule with input |
| PATCH | /v1/data/{path} |
Patch a data document |
| POST | /v1/query |
Execute ad-hoc Rego query |
| POST | /v1/compile |
Partially evaluate a query |
| GET | /health |
Health check (liveness) |
| GET | /health?bundles |
Health check including bundle status |
Core Operations
Upload a Rego Policy
import requests
import os
OPA_URL = os.environ.get("OPA_URL", "http://localhost:8181")
policy_rego = """
package authz
default allow := false
allow if {
input.user.role == "admin"
}
allow if {
input.user.role == "editor"
input.action == "read"
}
"""
resp = requests.put(
f"{OPA_URL}/v1/policies/authz",
data=policy_rego,
headers={"Content-Type": "text/plain"},
timeout=10,
)
resp.raise_for_status()Evaluate a Policy Decision
decision_input = {
"input": {
"user": {"role": "editor", "name": "alice"},
"action": "read",
"resource": "/api/reports",
}
}
resp = requests.post(
f"{OPA_URL}/v1/data/authz/allow",
json=decision_input,
timeout=10,
)
result = resp.json()
allowed = result.get("result", False) # TrueUpload Data Documents
role_permissions = {
"admin": ["read", "write", "delete", "admin"],
"editor": ["read", "write"],
"viewer": ["read"],
}
resp = requests.put(
f"{OPA_URL}/v1/data/roles",
json=role_permissions,
timeout=10,
)List All Policies
resp = requests.get(f"{OPA_URL}/v1/policies", timeout=10)
policies = resp.json().get("result", [])
for p in policies:
print(f" {p['id']} — {len(p.get('raw', ''))} bytes")OPA CLI Reference
# Evaluate a policy locally
opa eval -i input.json -d policy.rego "data.authz.allow"
# Run Rego unit tests
opa test ./policies/ -v
# Check policy syntax
opa check policy.rego
# Format Rego files
opa fmt -w policy.rego
# Start OPA as a server
opa run --server --addr :8181 ./policies/ ./data/
# Build an OPA bundle
opa build -b ./policies/ -o bundle.tar.gzKubernetes Gatekeeper Integration
apiVersion: templates.gatekeeper.sh/v1
kind: ConstraintTemplate
metadata:
name: k8srequiredlabels
spec:
crd:
spec:
names:
kind: K8sRequiredLabels
validation:
openAPIV3Schema:
type: object
properties:
labels:
type: array
items:
type: string
targets:
- target: admission.k8s.gatekeeper.sh
rego: |
package k8srequiredlabels
violation[{"msg": msg}] {
provided := {l | input.review.object.metadata.labels[l]}
required := {l | l := input.parameters.labels[_]}
missing := required - provided
count(missing) > 0
msg := sprintf("Missing required labels: %v", [missing])
}Output Format
{
"decision_id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
"result": true,
"policy": "data.authz.allow",
"input": {
"user": {"role": "admin"},
"action": "delete",
"resource": "/api/users/42"
}
}standards.md1.1 KB
Standards Reference: Policy as Code with OPA
NIST SP 800-53 - Security and Privacy Controls
| Control | OPA Policy | Description |
|---|---|---|
| AC-3 | Block unauthorized access | Enforce RBAC and namespace isolation |
| AC-6 | Least privilege | Block privileged containers and host access |
| CM-2 | Baseline configuration | Require resource limits and labels |
| CM-6 | Configuration settings | Enforce approved image registries |
| SI-7 | Software integrity | Require image signatures and digests |
CIS Kubernetes Benchmark Mapping
- 5.1.1: Ensure RBAC is enabled → OPA can enforce RBAC policies
- 5.2.1: Minimize privileged containers → K8sBlockPrivileged constraint
- 5.2.2: Minimize host namespace sharing → Block hostNetwork/hostPID
- 5.2.5: Ensure allowPrivilegeEscalation is false → OPA constraint
- 5.7.1: Create administrative boundaries between resources → Namespace policies
OWASP Kubernetes Security Cheat Sheet
- Enforce Pod Security Standards via admission control
- Restrict container capabilities using OPA policies
- Enforce network policies and resource quotas
- Validate image provenance and signatures
workflows.md1.9 KB
Workflow Reference: Policy as Code with OPA
Policy Lifecycle
Author Rego Policy
│
▼
┌──────────────────┐
│ Unit Test with │
│ OPA test │
└──────┬───────────┘
│
▼
┌──────────────────┐
│ Integration Test │
│ with conftest │
└──────┬───────────┘
│
▼
┌──────────────────┐
│ Deploy to Cluster│
│ (warn mode) │
└──────┬───────────┘
│
▼
┌──────────────────┐
│ Monitor + Triage │
│ Violations │
└──────┬───────────┘
│
▼
┌──────────────────┐
│ Switch to deny │
│ mode │
└──────────────────┘OPA/Gatekeeper Architecture
API Request → Kubernetes API Server → Gatekeeper Webhook
│
┌──────┴──────┐
│ OPA Engine │
│ (Rego eval) │
└──────┬──────┘
│
┌──────┴──────┐
│ Constraint │
│ Templates │
└──────┬──────┘
│
Allow / DenyScripts 2
agent.py9.3 KB
#!/usr/bin/env python3
"""Open Policy Agent (OPA) policy-as-code agent.
Evaluates security policies against infrastructure configurations using
the OPA REST API or CLI. Supports evaluating Rego policies for Kubernetes
admission control, Terraform plans, IAM policies, and custom security rules.
"""
import argparse
import json
import os
import subprocess
import sys
from datetime import datetime, timezone
try:
import requests
except ImportError:
requests = None
def find_opa_binary():
"""Locate the OPA binary on the system."""
custom_path = os.environ.get("OPA_PATH")
if custom_path and os.path.isfile(custom_path):
return custom_path
for name in ["opa", "opa.exe"]:
for directory in os.environ.get("PATH", "").split(os.pathsep):
full_path = os.path.join(directory, name)
if os.path.isfile(full_path):
return full_path
return None
def eval_policy_cli(opa_bin, policy_path, input_path, data_path=None, query="data"):
"""Evaluate a Rego policy using OPA CLI."""
cmd = [opa_bin, "eval", "--format", "json"]
cmd.extend(["--bundle", policy_path])
if input_path:
cmd.extend(["--input", input_path])
if data_path:
cmd.extend(["--data", data_path])
cmd.append(query)
print(f"[*] Running: {' '.join(cmd)}")
result = subprocess.run(
cmd,
capture_output=True,
text=True,
timeout=120,
)
if result.returncode != 0:
print(f"[!] OPA error: {result.stderr}", file=sys.stderr)
return None
try:
return json.loads(result.stdout)
except json.JSONDecodeError:
print(f"[!] Failed to parse OPA output", file=sys.stderr)
return None
def eval_policy_api(opa_url, policy_path, input_data):
"""Evaluate a policy via OPA REST API."""
if not requests:
print("[!] 'requests' library required for API mode", file=sys.stderr)
sys.exit(1)
url = f"{opa_url}/v1/data/{policy_path.replace('.', '/')}"
print(f"[*] Querying OPA API: {url}")
resp = requests.post(
url,
json={"input": input_data},
timeout=30,
)
resp.raise_for_status()
return resp.json()
def test_policies(opa_bin, policy_dir):
"""Run OPA test suite against policy directory."""
cmd = [opa_bin, "test", "--format", "json", policy_dir, "-v"]
print(f"[*] Running policy tests: {' '.join(cmd)}")
result = subprocess.run(
cmd,
capture_output=True,
text=True,
timeout=120,
)
try:
test_results = json.loads(result.stdout)
except json.JSONDecodeError:
test_results = []
return test_results, result.returncode
def check_policy_syntax(opa_bin, policy_path):
"""Check Rego policy syntax."""
cmd = [opa_bin, "check", "--format", "json", policy_path]
result = subprocess.run(
cmd,
capture_output=True,
text=True,
timeout=30,
)
if result.returncode == 0:
print(f"[+] Policy syntax valid: {policy_path}")
return True, []
try:
errors = json.loads(result.stdout)
except json.JSONDecodeError:
errors = [{"message": result.stderr}]
print(f"[!] Syntax errors in {policy_path}")
return False, errors
def extract_violations(eval_result, violation_key="violations"):
"""Extract policy violations from OPA evaluation result."""
violations = []
if not eval_result:
return violations
results = eval_result.get("result", [])
if isinstance(results, list):
for entry in results:
bindings = entry.get("bindings", {})
expressions = entry.get("expressions", [])
for expr in expressions:
value = expr.get("value", {})
if isinstance(value, dict):
for key, val in value.items():
if key == violation_key and isinstance(val, list):
violations.extend(val)
elif isinstance(val, dict):
nested_violations = val.get(violation_key, [])
if isinstance(nested_violations, list):
violations.extend(nested_violations)
elif isinstance(results, dict):
violations = results.get(violation_key, [])
return violations
def format_summary(violations, test_results, policy_path, input_path):
"""Print evaluation summary."""
print(f"\n{'='*60}")
print(f" OPA Policy Evaluation Report")
print(f"{'='*60}")
print(f" Policy : {policy_path}")
print(f" Input : {input_path or 'N/A'}")
print(f" Violations: {len(violations)}")
if test_results:
passed = sum(1 for t in test_results if t.get("pass", t.get("result") == "pass"))
failed = len(test_results) - passed
print(f" Tests : {passed} passed, {failed} failed")
if violations:
severity_counts = {}
for v in violations:
sev = "HIGH"
if isinstance(v, dict):
sev = v.get("severity", v.get("level", "HIGH"))
severity_counts[sev] = severity_counts.get(sev, 0) + 1
print(f"\n Violations by Severity:")
for sev, count in sorted(severity_counts.items()):
print(f" {sev:10s}: {count}")
print(f"\n Violation Details:")
for v in violations[:20]:
if isinstance(v, dict):
msg = v.get("msg", v.get("message", str(v)))
resource = v.get("resource", v.get("name", ""))
sev = v.get("severity", "HIGH")
print(f" [{sev:6s}] {resource:30s} | {msg[:60]}")
else:
print(f" {str(v)[:80]}")
return len(violations)
def main():
parser = argparse.ArgumentParser(
description="Open Policy Agent policy-as-code evaluation agent"
)
sub = parser.add_subparsers(dest="command", help="Action")
p_eval = sub.add_parser("eval", help="Evaluate policy against input")
p_eval.add_argument("--policy", required=True, help="Path to Rego policy or bundle dir")
p_eval.add_argument("--input", dest="input_file", help="Path to input JSON")
p_eval.add_argument("--data", help="Path to external data JSON")
p_eval.add_argument("--query", default="data", help="OPA query (default: data)")
p_eval.add_argument("--violation-key", default="violations",
help="Key in result containing violations")
p_api = sub.add_parser("api", help="Evaluate via OPA REST API")
p_api.add_argument("--url", default="http://localhost:8181", help="OPA server URL")
p_api.add_argument("--policy-path", required=True, help="OPA document path (e.g., authz.allow)")
p_api.add_argument("--input", dest="input_file", required=True, help="Input JSON file")
p_test = sub.add_parser("test", help="Run OPA test suite")
p_test.add_argument("--policy-dir", required=True, help="Directory containing policies and tests")
p_check = sub.add_parser("check", help="Check Rego syntax")
p_check.add_argument("--policy", required=True, help="Policy file or directory")
parser.add_argument("--output", "-o", help="Output JSON report path")
parser.add_argument("--verbose", "-v", action="store_true")
args = parser.parse_args()
if not args.command:
parser.print_help()
sys.exit(1)
opa_bin = find_opa_binary()
violations = []
test_results = []
if args.command == "eval":
if not opa_bin:
print("[!] OPA binary not found", file=sys.stderr)
sys.exit(1)
eval_result = eval_policy_cli(
opa_bin, args.policy, args.input_file, args.data, args.query
)
violations = extract_violations(eval_result, args.violation_key)
format_summary(violations, [], args.policy, args.input_file)
elif args.command == "api":
with open(args.input_file, "r") as f:
input_data = json.load(f)
eval_result = eval_policy_api(args.url, args.policy_path, input_data)
violations = extract_violations(eval_result)
format_summary(violations, [], args.policy_path, args.input_file)
elif args.command == "test":
if not opa_bin:
print("[!] OPA binary not found", file=sys.stderr)
sys.exit(1)
test_results, returncode = test_policies(opa_bin, args.policy_dir)
format_summary([], test_results, args.policy_dir, None)
elif args.command == "check":
if not opa_bin:
print("[!] OPA binary not found", file=sys.stderr)
sys.exit(1)
valid, errors = check_policy_syntax(opa_bin, args.policy)
if not valid:
for e in errors:
print(f" Error: {e}")
report = {
"timestamp": datetime.now(timezone.utc).isoformat(),
"tool": "Open Policy Agent",
"command": args.command,
"violations_count": len(violations),
"violations": violations,
"test_results": test_results,
"risk_level": (
"CRITICAL" if len(violations) > 10
else "HIGH" if len(violations) > 0
else "LOW"
),
}
if args.output:
with open(args.output, "w") as f:
json.dump(report, f, indent=2)
print(f"\n[+] Report saved to {args.output}")
elif args.verbose:
print(json.dumps(report, indent=2))
if __name__ == "__main__":
main()
process.py5.8 KB
#!/usr/bin/env python3
"""
OPA Policy Evaluation Pipeline Script
Runs conftest against Kubernetes manifests and Terraform files,
evaluates policy compliance, and generates reports.
Usage:
python process.py --manifests-dir ./k8s --policies-dir ./policies
python process.py --manifests-dir ./terraform --policies-dir ./policies --parser hcl2
"""
import argparse
import json
import os
import subprocess
import sys
from dataclasses import dataclass, field
from datetime import datetime, timezone
from pathlib import Path
@dataclass
class PolicyViolation:
file: str
rule: str
message: str
severity: str = "HIGH"
def run_conftest(manifests_dir: str, policies_dir: str,
parser: str = "yaml") -> dict:
"""Run conftest and return JSON results."""
files = []
extensions = {"yaml": [".yaml", ".yml"], "hcl2": [".tf"], "dockerfile": ["Dockerfile"]}
for ext in extensions.get(parser, [".yaml", ".yml"]):
files.extend(str(p) for p in Path(manifests_dir).rglob(f"*{ext}"))
if not files:
return {"results": [], "error": f"No {parser} files found in {manifests_dir}"}
cmd = [
"conftest", "test",
"--policy", policies_dir,
"--output", "json",
"--parser", parser
] + files
try:
proc = subprocess.run(cmd, capture_output=True, text=True, timeout=120)
if proc.stdout:
return {"results": json.loads(proc.stdout), "error": ""}
return {"results": [], "error": proc.stderr[:300]}
except subprocess.TimeoutExpired:
return {"results": [], "error": "conftest timed out"}
except FileNotFoundError:
return {"results": [], "error": "conftest not found"}
except json.JSONDecodeError:
return {"results": [], "error": "Failed to parse conftest output"}
def parse_conftest_results(results: list) -> list:
"""Parse conftest JSON results into violations."""
violations = []
for result in results:
filename = result.get("filename", "unknown")
for failure in result.get("failures", []):
violations.append(PolicyViolation(
file=filename,
rule=failure.get("metadata", {}).get("rule", "unknown"),
message=failure.get("msg", ""),
severity="HIGH"
))
for warning in result.get("warnings", []):
violations.append(PolicyViolation(
file=filename,
rule=warning.get("metadata", {}).get("rule", "unknown"),
message=warning.get("msg", ""),
severity="MEDIUM"
))
return violations
def check_gatekeeper_violations(namespace: str = "") -> list:
"""Query Gatekeeper audit violations from the cluster."""
cmd = ["kubectl", "get", "constraints", "-o", "json"]
if namespace:
cmd.extend(["-n", namespace])
try:
proc = subprocess.run(cmd, capture_output=True, text=True, timeout=30)
if proc.returncode != 0:
return []
data = json.loads(proc.stdout)
violations = []
for item in data.get("items", []):
status = item.get("status", {})
for v in status.get("violations", []):
violations.append(PolicyViolation(
file=f"{v.get('kind', '')}/{v.get('name', '')}",
rule=item.get("kind", ""),
message=v.get("message", ""),
severity="HIGH" if item.get("spec", {}).get("enforcementAction") == "deny" else "MEDIUM"
))
return violations
except (subprocess.TimeoutExpired, FileNotFoundError, json.JSONDecodeError):
return []
def main():
parser = argparse.ArgumentParser(description="OPA Policy Evaluation Pipeline")
parser.add_argument("--manifests-dir", required=True)
parser.add_argument("--policies-dir", required=True)
parser.add_argument("--parser", default="yaml", choices=["yaml", "hcl2", "dockerfile"])
parser.add_argument("--output", default="policy-report.json")
parser.add_argument("--fail-on-violations", action="store_true")
parser.add_argument("--check-cluster", action="store_true",
help="Also check Gatekeeper violations in cluster")
args = parser.parse_args()
violations = []
print(f"[*] Evaluating policies from {args.policies_dir} against {args.manifests_dir}")
result = run_conftest(os.path.abspath(args.manifests_dir),
os.path.abspath(args.policies_dir), args.parser)
if result.get("error"):
print(f"[WARN] {result['error']}")
else:
violations.extend(parse_conftest_results(result["results"]))
print(f" conftest: {len(violations)} violations")
if args.check_cluster:
cluster_violations = check_gatekeeper_violations()
violations.extend(cluster_violations)
print(f" cluster: {len(cluster_violations)} audit violations")
report = {
"metadata": {"date": datetime.now(timezone.utc).isoformat()},
"summary": {
"total_violations": len(violations),
"high": sum(1 for v in violations if v.severity == "HIGH"),
"medium": sum(1 for v in violations if v.severity == "MEDIUM")
},
"violations": [
{"file": v.file, "rule": v.rule, "message": v.message, "severity": v.severity}
for v in violations
]
}
output_path = os.path.abspath(args.output)
with open(output_path, "w") as f:
json.dump(report, f, indent=2)
print(f"[*] Report: {output_path}")
passed = len(violations) == 0
print(f"\n[{'PASS' if passed else 'FAIL'}] {len(violations)} policy violations found")
for v in violations[:10]:
print(f" [{v.severity}] {v.file}: {v.message[:100]}")
if args.fail_on_violations and not passed:
sys.exit(1)
if __name__ == "__main__":
main()